A cyberattack on a provider working for Edinburgh City Council has resulted in criminals stealing more than 13,000 email addresses belonging to residents of the city, the Council has admitted.

The attack, which happened on 3 July at an unnamed data centre, affected only email addresses: a total of 13,134 addresses, all belonging to people on the Council's email list, are believed to have been lifted from a cache of unknown size.

News of the incident emerged after the Council sent an email apology to affected residents.

“The attacker copied some email addresses, including yours, but we would like to reassure you that no other personal data was taken,” it read.

Users who had registered to log in to the Council’s website would have to change their passwords, it added.

Although a relatively minor attack - the incident did not compromise more valuable data such as names and addresses - the threat to affected users remains real. Cybercriminals trade legitimate email addresses for use in phishing and other scams. Knowing these addresses are of people based in Scotland could aid more localised targeted attacks.

“At this point the current breach does not seem serious in terms of its possible impact on citizens, but could have serious implications on the trust levels of citizens with the council,” commented Napier University’s Professor Bill Buchanan in a public blog on the attack.

The attack raised deeper questions about whether the public sector was able to keep up in an age of budget cuts.

“The worry here is that the public sector, both in the UK and the US, are generally struggling to keep up with modern computer security standards, especially in implementing IDS - Intrusion Detection Systems - and SIEM - Security Information and Event Management.”

A second issue - that of partner security - was raised by Barracuda Networks’ EMEA vice president, Wieland Alge.

“The most important takeaway here is that just because your hosting service or CDN or cloud provider says that they provide ‘a secure environment’, it (almost) never means that they secure your web applications as well.

“Organisations should query their providers regarding web application security specific features and explore avenues of supplementing these,” he said.